Strategic insightsUsable Security - Reply to "Security Now"

Update - July 28, 2011: Since writing this article, Steve Gibson have apparently had an epiphany that real password security is not the result of making it complex, but rather the result of making it longer. That is exactly the same thing I have been saying since 2007.

Steve suggest that you pad your password (which can be anything - even very simple ones), I suggested that you should just add more words. The result is the same. A password like "a beautiful summer day" (my concept - 3+ words) is just as secure a password like "............summer...." (Steve concept) - try it out yourself with Steve's own password checker.

Steve says he thought about this all on his own, and that "nobody else" had thought of it before... but come one Steve.

But I am glad that you have finally seen the light. And, I welcome you to your new world of usable passwords that are both secure and easy to remember.

-----

Back in 2007, I wrote an article about password security. Specifically how you could create a simple and usable password while remaining secure. In that article, you can read that it is 10 times more secure to use "this is fun" as your password, than "J4fS<2".

The article is the 6th most popular article of all times on Baekdal.com. It has been read 1,364,640 times and last week it suddenly spiked again.

Many people have commented that I am wrong. They say that the password can be hacked much faster (using rainbow tables and similar), that it is not random enough, that it is too simple etc.

It culminated yesterday, when the highly respected security expert, Steve Gibson of GRC, talked about it in his popular podcast "Security Now" - along with Leo Laporte.

Note: I deeply respect Steve and Leo, and I frequently watch the podcasts, as well as many other shows on Twit.tv.

Steve basically said the same thing as many others. It can be hacked a lot faster. It is not random enough. it is too simple.

He is absolutely right and I agree with what he said. But, does that mean I am wrong? Well, no - not really. Let me explain.

You can always make a password more secure by adding complexity. But you will also very quickly reach a point in which it is no longer usable.

You cannot remember a password like "8;dU2i2{xs1*hT#4A9tccT." And even if you could, it would be really annoying to type.

The time and agony involved in using that password would costs too much, compared to the low risk of using the much simpler "this is fun" (which is still 11 characters long and quite secure).

The questions you need to ask are. When is a password secure enough? At what point do I no longer need to make it more complex (either by choice or by circumstance)?

When Steve talked about my article, he pointed out that there are two different types of password hacking. Online and offline.

Online

Online hacking involves sending as many requests as you can to a site. But because of network latency, bandwidth and server speeds, the number of requests a hacker can make are limited. In the article, I put that number at 100 requests per second (which is fairly high).

That means that you have to make the password complex enough to make it impossible to hack - using 100 requests per second. A password like "this is fun", using a common word dictionary attack, would take 2,537 years to hack!

That has to be good enough, right?

Even if we used a much smaller dictionary, with say 1,000 words, that is still 1 billion combinations, with 100 requests per second, it would take 115 days of continued hacking.

Imagine someone trying to hack your account on Facebook, by sending 100 requests per second, 115 days in a row. Facebook would shutdown the hacker long before he would get a match.

But I am not saying you should use "this is fun", that was just an example. I am urging you to use 3+ words, preferably uncommon words - like "fluffy is puffy". Using that password, the hacker would not be able to use the 1,000 words dictionary. He would instead need to use a much bigger one.

It would take 39,637,200 years to hack.

Security people, like Steve, also recommend that you capitalize some characters and maybe use something else than a space between the words like "fluFfY%is%pUFfy"

That would certainly increase the complexity, and make it nearly impossible to hack. But it also makes it really hard for you to use. Just trying to remember which characters that are uppercase gives me a headache. Trying to type them into an iPhone would be a nightmare.

Besides, you don't need to do that. The lower-case password is already secure enough for online use.

Offline!

What about offline hacking? Many point to the case of Gawker, in which a hacker hacked their server and downloaded the database with your username and passwords.

In that case, complexity really doesn't change a thing. The hacker did not hack your password. He hacked the server, and got the password directly from the database.

Nothing you can do changes that. You have no control over how a server stores your password. Once a hacker is in the server your have to assume that your password, and your data, is compromised.

You cannot assume that your password is safe, because you have no idea how it is stored. As a user, you have to accept the risk that the server might be hacked.

Steve Gibson then provides excellent advice to server administrators, in how to secure people's password. What the server administrator needs to do, is to take your password, encrypt it using a long and complex salt value, and then store the hashed value (of the salted password) in the database.

That way, a hacker would not be able to decrypt the password, even if he had hacked the server.

But here is the thing. If the server administrator does that, it doesn't matter how complex your password is. You could use passwords like "mickey" (very simple), "this is fun", "fluffy is puffy", or "8;dU2i2{xs1*hT#4A9tccT" - and they would *ALL* be equally impossible to hack.

The salted password hash is what provides the security. What you use, as a user, is irrelevant.

The only thing you need to be concerned about, is to make it secure enough so that it cannot be hacked "online".

No collateral damage

This leads us to the final point - collateral damage. You need to make sure that if a server is hacked, it is not going to affect any other sites you might use.

The Gawker incident is again a good example.

The only people this was a problem for, where the people who had used the same password on Gawker, as they had on other sites like Gmail, Twitter, and Facebook.

Nobody else cared about it because the hacker couldn't do anything with their passwords. Sure he could post a comment in your name, but that was pretty much it. Just reset the password and get on with your life.

No level of password complexity would have solved that. The problem was not the password itself. The problem was that some people use the same password across different sites.

The solution is simple. Do not use the same passwords on different sites. If a hacker hacks a server, you have to assume that your password is compromised. The only way to make sure, that the problem doesn't escalate to other sites, is to not use the same password.

It is not about complexity. It is about diversity.

Steve Gibson then came up with a very good point. He said that if you have to use different passwords for different sites, you would have to come up with so many that you would need to write them down anyway.

So if you have to write them down, why not use a more secure and complex password instead? You would still need to read it off the paper.

That is a very good point, and I agree - in theory.

Except that you do not actually use that many different sites every day. You only use a few. Like gmail, Facebook, Twitter. Many other sites now use single-sign in mechanisms, like "Sign-in with Facebook", "Sign-in with Twitter", or "Sign-in with Google."

---

Accept that you are not in control of the server. Accept that your password is always at risk of being hacked in "offline" server attacks (which is, by far, the most frequent form of attack.)

Save yourself a lot of time by using a highly usable password. One that is secure enough to withstand "online" attacks, but easy enough to use on a daily basis.

Right now, I have a bag of salted peanuts in front of me, so a good "online" password could be "yummy salted peanuts". It is 3 words, 20 characters long, including 3 special characters. It is incredibly easy to remember, and equally easy to type - even on mobile devices.

It will not protect you if the server is hacked, but no other password will either. Only the administrator of the server can make that secure enough. It is more than secure enough for signing into Gmail, Twitter, Facebook, etc.

If, on the other hand, you are the server administrator (or when talking about local security), it is a completely different ball game. Protect people's password, and use a highly secure password for any system that a hacker can gain direct access to. Listen to Steve Gibson. Even better, use his excellent "GRC's Ultra High Security Password Generator."